Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-13590

CVE-2025-13590: WSO2 API Control Plane RCE Vulnerability

CVE-2025-13590 is a remote code execution vulnerability in WSO2 API Control Plane allowing admins to upload malicious files via REST API. This post covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-13590 Overview

CVE-2025-13590 is an arbitrary file upload vulnerability affecting multiple WSO2 products. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful exploitation of this vulnerability may lead to remote code execution, allowing attackers to upload specially crafted payloads and execute arbitrary code on the target system.

Critical Impact

Authenticated administrators can achieve remote code execution by uploading malicious files through the REST API, potentially compromising the entire WSO2 deployment and underlying infrastructure.

Affected Products

  • WSO2 API Control Plane versions 4.5.0 and 4.6.0
  • WSO2 API Manager versions 4.2.0, 4.3.0, 4.4.0, 4.5.0, and 4.6.0
  • WSO2 Traffic Manager versions 4.5.0 and 4.6.0
  • WSO2 Universal Gateway versions 4.5.0 and 4.6.0

Discovery Timeline

  • February 19, 2026 - CVE-2025-13590 published to NVD
  • February 19, 2026 - Last updated in NVD database

Technical Details for CVE-2025-13590

Vulnerability Analysis

This vulnerability exists in the system REST API of multiple WSO2 products, which fails to properly validate and restrict file uploads. The flaw allows authenticated administrators to upload files to arbitrary locations within the deployment directory structure. While exploitation requires administrative privileges, the ability to write arbitrary files to controlled locations creates a direct path to remote code execution.

The attack requires network access to the vulnerable REST API endpoint. Once an attacker with administrative credentials accesses the API, they can upload malicious files—such as web shells or backdoor scripts—to locations where they will be automatically executed by the application server or accessed through web requests.

Root Cause

The vulnerability stems from insufficient validation in the file upload functionality of the system REST API. The API fails to adequately restrict:

  1. The types of files that can be uploaded
  2. The destination paths where files can be written
  3. The content validation of uploaded files

This lack of proper input validation and path restrictions allows attackers to bypass intended security controls and place executable content in sensitive locations within the WSO2 deployment.

Attack Vector

The attack is network-based and follows this general pattern:

  1. An attacker obtains or compromises administrative credentials for the WSO2 platform
  2. The attacker identifies and accesses the vulnerable REST API endpoint
  3. A specially crafted payload (such as a JSP web shell) is uploaded through the API
  4. The file is written to a web-accessible or executable location within the deployment
  5. The attacker triggers execution of the uploaded payload, achieving remote code execution

The vulnerability mechanism involves improper file path and content validation in the REST API upload functionality. For detailed technical information, refer to the WSO2 Security Advisory WSO2-2025-4849.

Detection Methods for CVE-2025-13590

Indicators of Compromise

  • Unexpected files appearing in WSO2 deployment directories, particularly web-accessible locations
  • Unusual file extensions or suspicious file names in application directories (e.g., .jsp, .war, .sh)
  • Anomalous REST API calls to file upload endpoints from administrative accounts
  • Web shell signatures or backdoor files in the deployment structure

Detection Strategies

  • Monitor REST API audit logs for unusual file upload activities, especially to non-standard directories
  • Implement file integrity monitoring on WSO2 deployment directories to detect unauthorized file changes
  • Review administrative account activity for suspicious API interactions
  • Deploy web application firewalls (WAF) configured to detect file upload exploitation patterns

Monitoring Recommendations

  • Enable comprehensive logging for all REST API endpoints, particularly administrative functions
  • Configure alerts for file creation events in sensitive directories within the WSO2 deployment
  • Monitor for outbound network connections from the WSO2 application that may indicate command-and-control communication
  • Regularly audit administrative account access patterns and credentials

How to Mitigate CVE-2025-13590

Immediate Actions Required

  • Apply the security patches provided by WSO2 immediately for all affected product versions
  • Review and audit all administrative accounts and credentials for potential compromise
  • Conduct a security assessment of WSO2 deployments to identify any indicators of previous exploitation
  • Restrict network access to administrative REST API endpoints using firewalls or access control lists

Patch Information

WSO2 has released security updates addressing this vulnerability. Organizations should review the WSO2 Security Advisory WSO2-2025-4849 for specific patch versions and upgrade instructions for each affected product.

Affected versions requiring updates:

  • WSO2 API Control Plane: 4.5.0, 4.6.0
  • WSO2 API Manager: 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0
  • WSO2 Traffic Manager: 4.5.0, 4.6.0
  • WSO2 Universal Gateway: 4.5.0, 4.6.0

Workarounds

  • Implement strict network segmentation to limit access to administrative REST API endpoints
  • Enforce multi-factor authentication for all administrative accounts
  • Deploy a web application firewall with rules to inspect and block suspicious file upload requests
  • Regularly rotate administrative credentials and implement the principle of least privilege
bash
# Network-level restriction example for administrative API endpoints
# Restrict access to WSO2 admin APIs to trusted management networks only
iptables -A INPUT -p tcp --dport 9443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 9443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.